Emergency Security Bulletin: Trend Micro Apex One Management Console OS Command Injection Vulnerability


By: RedLegg's Cyber Threat Intelligence Team

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Trend Micro Apex One Management Console OS Command Injection Vulnerability

CVSS Score: 9.4 (Critical)
Identifier: CVE-2025-54948
Exploit or POC: Yes – at least one attempt to exploit in the wild has been confirmed (https://success.trendmicro.com/en-US/solution/KA-0020652)
Update: CVE-2025-54948 – Trend Micro Security Advisory

Description: CVE-2025-54948 is a critical pre-authentication OS command injection vulnerability present in Trend Micro Apex One on-premises Management Console (version 2019, Management Server version 14039 and below). The flaw arises from improper input validation in the console's backend, specifically in components listening on TCP ports 8080 and 4343, which enables remote attackers to inject and execute arbitrary code as the IUSR user via crafted system calls.

Trend Micro has confirmed at least one real-world exploitation attempt. To mitigate the risk while a full patch was being prepared, the vendor released a short-term fix tool (FixTool_Aug2025) on August 5–6, 2025, which fully blocks known exploit paths but disables the Remote Install Agent feature. A permanent critical patch restoring full functionality was released on August 15, 2025.


Mitigation Recommendation:

1. Apply the short-term mitigation tool (FixTool_Aug2025). It protects against known exploits but disables the Remote Install Agent function.
2. Apply the permanent critical patch (version SP1 CP B14081 or later) released on August 15, 2025.
3. If the console's IP is exposed externally, restrict access via network controls or source IP filtering.
4. Monitor logs for unauthorized access or evidence of code execution attempts.
5. Remove the Apex One console from internet exposure wherever possible.
6. Confirm successful patch application and test for restoration of Remote Install Agent functionality if needed.
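Host-level source IP filtering for the console ports named above (TCP 8080 and 4343), as an added example that is not code from RedLegg or Trend Micro; it assumes the console host runs Windows with Windows Defender Firewall enabled, an elevated PowerShell session, and a placeholder admin subnet ($AdminSubnet) that you replace with your own management network:

```powershell
# Added example, not code from RedLegg or Trend Micro. Scopes the Apex One console
# listeners (TCP 8080 and 4343) to an administrative subnet with Windows Defender
# Firewall and records a listener baseline first. Host filtering is defense in
# depth; perimeter controls are still required if the host is reachable externally.
$AdminSubnet  = '10.0.100.0/24'          # placeholder, replace before use
$ConsolePorts = @(8080, 4343)            # ports named in the advisory

# 1. Baseline: which processes currently listen on the console ports
Get-NetTCPConnection -State Listen -LocalPort $ConsolePorts -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Format-Table -AutoSize

# 2. Review: enabled inbound Allow rules that already open these ports. Windows
#    evaluates a matching Block rule ahead of Allow rules, so access is scoped by
#    removing or narrowing broad Allow rules, not by adding a catch-all Block
#    that would also cut off the admin subnet. (Exact port matches only; port
#    ranges such as "8000-9000" are not expanded here.)
$PortStrings = $ConsolePorts | ForEach-Object { "$_" }
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and (@($_.LocalPort) | Where-Object { $_ -in $PortStrings }) } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Profile,
        @{ Name = 'RemoteAddress'; Expression = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } } |
    Format-Table -AutoSize

# 3. Scoped Allow rule: only the admin subnet may reach the console ports
New-NetFirewallRule -DisplayName 'Apex One console - admin subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort $ConsolePorts `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Any | Out-Null

# 4. Ensure the inbound default is Block on every profile, so traffic that does
#    not match the scoped rule is dropped
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 5. Verify the remote-address scope of the new rule
Get-NetFirewallRule -DisplayName 'Apex One console - admin subnet only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Review the rules listed in step 2 before relying on the scoped rule; any remaining enabled Allow rule with RemoteAddress "Any" on these ports still grants access.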